User Accounts

1 User Accounts

All user accounts are to be defined in Active Directory

The built-in Administrator account must be configured in Admin Approval Mode in all
profiles. The following control needs to be set to “Enabled”:
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Admin Approval Mode
for the Built-in Administrator account

The ability of admin users to complete tasks with elevated privileges needs to be
limited by setting the following control to “Prompt for Credentials”.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Behavior of the
elevation prompt for administrators in Admin Approval Mode

The ability for standard users to complete tasks requiring elevated privileges
must be controlled by setting the following control to “Automatically deny
elevation requests”.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Behavior of the
elevation prompt for standard users.

The control that defines how Windows responds to application installation
requests for all profiles must be controlled by setting the following parameter
to “Enabled”.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Detect application
installations and prompt for elevation

The UAC elevation request must be displayed on the secure desktop. This is
done by setting the following parameters.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Switch to the secure
desktop when prompting for elevation – Set to enabled.
o The following parameter must be set to disabled. Computer
Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Allow UIAccess
applications to prompt for elevation without using the secure desktop

Windows must be configured to virtualize file and registry writes to user
locations when a non UAC compliant application attempts to write to protected
areas such as %SYSTEMROOT%. All profiles must have the following
parameter set to “Enabled”.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Virtualize file and
registry write failures to per-user locations

Windows Server 2008 Security Standard

2 User Rights

All users must successfully authenticate to be granted access to the local server from
the network. This is enforced by setting the following control to “Administrators,
Authenticated Users”.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Access this computer from the network

No process should be allowed to assume the identity of any other user. For all
profiles the following control must be set to “No one”.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Act as part of the operating system

The user right that provides the ability to alter the access token object for any
process or logged on user must be restricted. The following control must be set to
‘no one’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Create a token object

The ability for users to change system date/time must be restricted. The following
control must be set to ‘LOCAL SERVICE, Administrators’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Change the system time

Users with no Traverse Folder access permission should be restricted from passing
through folders as they browse NTFS or the registry. The following control must be set
to ‘Administrators, Authenticated users, Local Service, Network Service’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Bypass traverse checking

The ability of users to back up files and directories on the system should be restricted
to admin users. The following control must be set to administrators.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Back up files and directories

Guest users should be denied access via the network. This is configured using the
following control.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Deny access to this computer from the
network

The ability to load and unload device drivers needs to be restricted to Administrators.
This is set using the following control.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Load and unload device drivers

Access to local logon should be restricted to Administrator users only. The following
control must be set to ‘Administrators’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Allow log on locally

Users should not have the ability to start another service or process with a different
security access token. For all profiles the following control should be set to ‘LOCAL
SERVICE, NETWORK SERVICE’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Replace a process level token

The ability to use tools to monitor the performance of non-system processes should
be restricted to administrators. For all profiles the following control should be set to
‘Administrators’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Profile single process

The ability to perform system volume maintenance tasks should be restricted to
administrator users. The following control must be set to administrators.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Perform volume maintenance tasks

The ability to configure system wide environment variables that affect hardware
configuration must be restricted to administrators. The following control must be set
to administrators.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Modify firmware environment values

The ability for users to change auditing options for files and directories must be
restricted. The following control must be set to ‘Administrators’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Manage auditing and security log

Access to Terminal Services logon must be restricted. It is recommended that
access is restricted to Administrator users only using the following control.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Allow log on through Terminal Services

Access to change the time zone must be restricted to ‘LOCAL SERVICE and
Administrators’ only. The following control must be set.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Change the time zone

User accounts should not be able to bypass normal access control lists to take
ownership of files and other objects. For all profiles change the following control to
‘Administrators’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Take ownership of files or other objects

Normal users must not be able to bypass file, directory and other object permissions.
The following control must be set to ‘Administrators’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Restore files and directories

Access to change the size of a process’ working set must be restricted. The
following control must be changed to ‘Administrators, Local Service’.
o Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Increase a process working set

Normal users should not be able to access user credentials via user credential
manager. For all profiles the following control must be set to ‘No One’.
o Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment\Access Credential Manager as a trusted caller
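
One way to check a server against the user-rights values above, as an added example that is not part of the standard: it parses the [Privilege Rights] section of a `secedit /export` file and reports accounts granted a right beyond the listed values, or missing from them. The privilege constants and well-known SIDs are standard Windows identifiers; the sample export and the `svc_backup` account are constructed, and "restricted to Administrators" is assumed to mean Administrators only.

```python
# Added example (not part of the standard): audit the [Privilege Rights]
# section of a `secedit /export /cfg <file>` export against section 2.
# Real exports are UTF-16: open(path, encoding="utf-16").read()

ADMINS, AUTH_USERS = "S-1-5-32-544", "S-1-5-11"          # well-known SIDs
LOCAL_SERVICE, NETWORK_SERVICE = "S-1-5-19", "S-1-5-20"

# Privilege constant -> SIDs the standard allows. Empty set means "No one".
# Assumption: "restricted to Administrators" is read as Administrators only.
BASELINE = {right: {ADMINS} for right in (
    "SeBackupPrivilege", "SeLoadDriverPrivilege",
    "SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight",
    "SeProfileSingleProcessPrivilege", "SeManageVolumePrivilege",
    "SeSystemEnvironmentPrivilege", "SeSecurityPrivilege",
    "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
)}
BASELINE.update({
    "SeNetworkLogonRight": {ADMINS, AUTH_USERS},
    "SeTcbPrivilege": set(),                  # Act as part of the operating system
    "SeCreateTokenPrivilege": set(),
    "SeTrustedCredManAccessPrivilege": set(),
    "SeSystemtimePrivilege": {LOCAL_SERVICE, ADMINS},
    "SeTimeZonePrivilege": {LOCAL_SERVICE, ADMINS},
    "SeChangeNotifyPrivilege": {ADMINS, AUTH_USERS, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeAssignPrimaryTokenPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},
    "SeIncreaseWorkingSetPrivilege": {ADMINS, LOCAL_SERVICE},
})

# Constructed sample export; svc_backup is a made-up account name.
SAMPLE_EXPORT = """\
[System Access]
EnableGuestAccount = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,svc_backup
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeTimeZonePrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseWorkingSetPrivilege = *S-1-5-19,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name (lower case): set of SIDs or account names}."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs carry a leading '*'; entries without it are account names.
        rights[name.strip().lower()] = {
            m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return rights

def audit(inf_text):
    """Return [(right, extra accounts, missing accounts)] for each deviation."""
    actual = parse_privilege_rights(inf_text)
    findings = []
    for right in sorted(BASELINE):
        found = actual.get(right.lower(), set())  # absent line = granted to no one
        extra, missing = found - BASELINE[right], BASELINE[right] - found
        if extra or missing:
            findings.append((right, sorted(extra), sorted(missing)))
    return findings

if __name__ == "__main__":
    for right, extra, missing in audit(SAMPLE_EXPORT):
        print(f"{right}: remove {extra or '-'}, add {missing or '-'}")
```

Account names that appear without a SID are reported as extras because they cannot be resolved offline; resolve them on the server before deciding whether they are acceptable.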
3 Security Options
The table below lists the Windows security options that must be configured on all Windows
2008 servers.

| Description | Set to Value | Windows setting |
|---|---|---|
| Set minimum session security for NTLM SSP based servers | Require NTLMv2 session security, require 128 bit encryption | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers |
| Rename default administrator account. | A non default value eg: ‘NSC-admin’ | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account |
| The default Guest account should be disabled | Disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status. |
| Disable anonymous SID/Name translation | Disabled | Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation |
| Disable remote authentication using blank passwords. | disable | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only |
| Restrict authority to remove NTFS formatted media | Administrators | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media |
| Prevent users from installing printer drivers | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers |
| Restrict CD-ROM access to locally logged-on user only | Disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only |
| Digitally encrypt or sign secure channel data | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) |
| Disable machine account password changes | Disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes |
| Do not display last user name | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name |
| Message text for users attempting to log on | Appropriate NSC login banner | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on |
| Digitally sign SMB communications | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees) |
| Send unencrypted password to third-party SMB servers | Disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers |
| Amount of idle time required before suspending session | 15 minutes | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session |
| Digitally sign communications (always) | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) |
| Do not allow anonymous enumeration of SAM accounts | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts |
| Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication |
| Let Everyone permissions apply to anonymous users | Disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users |
| Named Pipes that can be accessed anonymously | Browser | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously |
| Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths |
| Restrict anonymous access to Named Pipes and Shares | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares |
| Shares that can be accessed anonymously | None | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously |
| Do not store LAN Manager hash value on next password change | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change |
| Strengthen default permissions of internal system objects | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) |
| Force strong key protection for user keys stored on the computer | User must enter a password each time they use a key | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer |
| Optional subsystems | None | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Optional subsystems |
| Use Certificate Rules on Windows Executables for Software Restriction Policies | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies |
| (AutoAdminLogon) Enable Automatic Logon (not recommended) | Disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) |
| (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Highest protection, source routing is completely disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) |
| Allow ICMP redirects to override OSPF generated routes | Disable | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes |
| Enable the computer to stop generating 8.3 style filenames (recommended) | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) |
| Enable Safe DLL search mode (recommended) | Enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) |
| How many times unacknowledged data is retransmitted | 3 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) |
| IPv6 IP source routing protection level | Highest protection, source routing is completely disabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) |

4 Terminal Services
The table below lists the Terminal Services security options that must be configured on all
Windows 2008 servers that utilize terminal services.

| Description | Set to Value | Windows setting |
|---|---|---|
| Always prompt client for password upon connection | enabled | Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security\Always prompt client for password upon connection |
| Set client connection encryption level | Enabled:High level. | Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security\Set client connection encryption level |
| Do not allow drive redirection | Enabled | Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Do not allow drive redirection |
| Do not allow passwords to be saved | Enabled | Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client\Do not allow passwords to be saved |

5 Auditing
The table below lists the Audit security options that must be configured on all Windows 2008
servers.

| Description | Set to Value | Windows setting |
|---|---|---|
| Force audit policy subcategory settings | enabled | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. |
| This control defines whether Internet Protocol security (IPsec) driver activity is audited | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit IPSec Driver\Audit Policy: System: IPsec Driver |
| This control defines whether the audit is activated for changes in the security state of the system. | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit Security State Change\Audit Policy: System: Security State Change |
| This control defines whether the audit is activated for the loading of extension code such as authentication packages by the security subsystem. | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit Security System Extension\Audit Policy: System: Security System Extension |
| This control defines whether the audit is activated for violations of integrity of the security subsystem. | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit System Integrity\Audit Policy: System: System Integrity |
| This control defines whether the audit is activated for when a user logs off from the system. | Success | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Logoff\Audit Policy: Logon-Logoff: Logoff |
| This control defines whether the audit is activated for when a user attempts to log on to the system. | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Logon\Audit Policy: Logon-Logoff: Logon |
| This control defines whether the audit is activated when a special logon is used | Success | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Special Logon\Audit Policy: Logon-Logoff: Special Logon |
| This control defines whether the audit is activated when file objects are accessed | Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit File System\Audit Policy: Object Access: File System |
| This control defines whether the audit is activated when registry objects are accessed. | Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit Registry\Audit Policy: Object Access: Registry |
| This control defines whether the audit is activated when a user account or service uses a sensitive privilege | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Privilege Use\Audit Sensitive Privilege Use\Audit Policy: Privilege Use: Sensitive Privilege Use |
| This control defines whether the audit is activated when a process is created and the name of the program that created it. | Success | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Detailed Tracking\Audit Process Creation\Audit Policy: Detailed Tracking: Process Creation |
| This control defines whether the audit is activated when change in audit policy including SACL changes occur | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Policy Change\Audit Audit Policy Change\Audit Policy: Policy Change: Audit Policy Change |
| This control defines whether the audit is activated when changes in authentication policy occur | Success | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Policy Change\Audit Authentication Policy Change\Audit Policy: Policy Change: Authentication Policy Change |
| This control defines whether the audit is activated when a computer account management event, such as a create, change, rename, delete, disable or enable event occurs | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit Computer Account Management\Audit Policy: Account Management: Computer Account Management |
| This control defines whether the audit is activated when an account management event occurs | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit Other Account Management Events\Audit Policy: Account Management: Other Account Management Events |
| This control defines whether the audit is activated when a security group management event, such as a create, change or delete event occurs | Success and Failure | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit Security Group Management\Audit Policy: Account Management: Security Group Management |
| This control defines whether the audit is activated when an AD DS object is accessed | Success and Failure (DC only) | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\DS Access\Audit Directory Service Access\Audit Policy: DS Access: Directory Service Access |
| This control defines whether the audit is activated when changes in Active Directory Domain Services (AD DS) occur | Success and Failure (DC Only) | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\DS Access\Audit Directory Service Changes\Audit Policy: DS Access: Directory Service Changes |
| This control defines whether the audit is activated to report the results of validation tests on credentials submitted by a user account logon request | Success and Failure (DC Only) | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Logon\Audit Credential Validation\Audit Policy: Account Logon: Credential Validation |

6 Internet Communication
The table below lists the Windows security options that must be configured on all Windows
2008 servers.

| Description | Set to Value | Windows setting |
|---|---|---|
| Turn off downloading of print drivers over HTTP | Enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP |
| Turn off the "Publish to Web" task for files and folders | Enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders |
| Turn off Internet download for Web publishing and online ordering wizards | Enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards |
| Turn off printing over HTTP | enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP |
| Turn off Search Companion content file updates | Enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates |
| Turn off the Windows Messenger Customer Experience Improvement Program | Enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program |
| Turn off Windows Update device driver searching | Enabled | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching |
| Do not process the legacy run list | Enabled | Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list |
| Do not process the run once list | Enabled | Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list |
| Offer Remote Assistance | Disabled | Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance |
| Solicited Remote Assistance | Disabled | Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance |
| RPC Endpoint Mapper Client Authentication | Not defined | Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication |
| Turn off Autoplay | Enabled:All drives | Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay |
| Enumerate administrator accounts on elevation | Disabled | Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation |
| Require trusted path for credential entry | Enabled | Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry |
| Disable remote Desktop Sharing | Enabled | Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing |

7 Enforcement of Standard Configuration
Security is an ongoing process. To ensure the ongoing enforcement of this standard
configuration, the following processes apply:

An ongoing process of review of server configuration will be carried out on an
annual basis.